CERT Insider Threat Center — Mission

Assist organizations in identifying indications and warnings of insider threat by

• performing vulnerability assessments
• assisting in the design and implementation of policies, practices, and technical solutions

based on our ongoing research of hundreds of actual cases of insider IT sabotage, theft of intellectual property, fraud, and espionage
Definition of Insider Threat

The CERT Program’s definition of a malicious insider is a current or former employee, contractor, or business partner who meets the following criteria:

• has or had authorized access to an organization’s network, system, or data
• has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
Methods

• Research
• Empirical Evidence
• Control Hypothesis
• Control Implementation and Testing
• Control Pilot
• Revisions
• Release
Common Sense Guide to Mitigating Insider Threats, 4th Edition
Who does the CSG apply to?

• Information Technology / IT Security
• Physical Security
• Software Engineering
• Data Owners
• Legal
• Human Resources
• ...everyone across the organization
New Features

• Mappings to other best practices / standards
  • NIST 800-53
  • ISO 27002
  • CERT RMM
• Quick wins & High Impact Solutions
• Quick reference guide
Practices you are familiar with

Consider threats from insiders and business partners in enterprise-wide risk assessments.
Consider insider threats in the software development life cycle.
Clearly document and consistently enforce policies and controls.
Use extra caution with system administrators and technical or privileged users.
Institute periodic security awareness training for all employees.
Implement system change controls.
Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
Log, monitor, and audit employee online actions.
Anticipate and manage negative workplace issues.
Use layered defense against remote attacks.
Track and secure the physical environment.
Deactivate computer access following termination.
Implement strict password and account management policies and practices.
Implement secure backup and recovery processes.
Enforce separation of duties and least privilege.
Develop an insider incident response plan.
New Best Practices

• Practice 9: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Practice 16: Develop a formalized insider threat program.
• Practice 17: Establish a baseline of normal network device behavior.
• Practice 18: Be especially vigilant of emerging social media trends.
• Practice 19: Close the doors to unauthorized data exfiltration.
Practice 9

Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

• Conduct a Risk Assessment before entering into any agreement.
• Choose a cloud service provider that meets or exceeds the organization’s own levels of security.
• Understand how the cloud provider protects data and other assets.
Practice 16

Develop a formalized insider threat program.

• Work with Legal Counsel.
• Requires involvement from various departments across the organization.
• Share information.
Inputs / Data Feeds to Insider Threat Program

Insider Threat Team (center of the diagram), with inputs from:

• Data Owners
• Physical Security
• Legal
• Facilities Operations
• Human Resources
• Non-management workers
• Information Technology
• Internal Audit
• SOC/CSIRT
• Quality Assurance
• Software Engineers
• Contracting Group or COTR
• Union Representative
• Partners, Suppliers and Contractors

Note: Text below the separator in each box notes the federal government's equivalent position
Practice 17

Establish a baseline of normal network device behavior.

• Know what is normal and abnormal for a given system.
• Excessive traffic, insufficient traffic
• Store logs for 60 days or longer
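An added illustration, not part of the CERT presentation, of what "establish a baseline" means in practice: a per-device baseline built from a constructed 14-day window of daily outbound volume, with new days flagged in either direction (excessive or insufficient).

```python
import statistics

# Constructed daily outbound volume (megabytes) for one network device over a
# 14-day baseline window; a real deployment builds this from retained logs.
BASELINE_MB = [410, 395, 430, 405, 420, 398, 415, 425, 402, 418, 409, 422, 399, 413]

def build_baseline(samples):
    """Median and median absolute deviation (MAD) of the window. Both are
    robust statistics, so a single odd day in the window does not shift
    what counts as 'normal'."""
    median = statistics.median(samples)
    mad = statistics.median(abs(x - median) for x in samples)
    return median, mad

def classify(value, median, mad, k=5.0):
    """Flag a day as 'excessive' or 'insufficient' when it lies more than
    k MADs from the baseline median. Both directions matter: a device that
    suddenly goes quiet may have had its logging or forwarding disabled."""
    if value > median + k * mad:
        return "excessive"
    if value < median - k * mad:
        return "insufficient"
    return "normal"

def evaluate(days, samples=BASELINE_MB):
    """Classify each new day's volume against the baseline window."""
    median, mad = build_baseline(samples)
    return [(mb, classify(mb, median, mad)) for mb in days]
```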
Practice 18

Be especially vigilant regarding social media.

• Train users to be aware of what they post
• Small disclosures of information can create bigger problems
• Develop a social media policy
Practice 19

Close the doors to unauthorized data exfiltration.

• Understand how data can leave the organization.
• Control removable media.
• Watch for “old school” methods: printers, copiers, etc.
Technical Controls: Preventing Data Exfiltration
The Problem

• Organizations need to use web-based services on a daily basis for business needs. However, services that offer the ability to upload attachments present an opportunity for sensitive data to leave the organization.
• Communications secured with SSL encryption are difficult to inspect, so it is difficult to detect and prevent sensitive data from leaving the organization.

Software Engineering Institute | Carnegie Mellon
Managing The Insider Threat: What Every Organization Should Know
Twitter #CERTinsiderthreat
© 2013 Carnegie Mellon University

Data Loss Through the Web

Difficult problem

Perfect exfiltration channel

• Encrypted
• Appears “normal”
• Send many files at once
• Possibly essential to operations
What can be done to prevent this?

Options:

1. Implement policies regarding how sensitive information is disseminated
2. Full packet capture of all Internet traffic for further analysis
3. Whitelisting
4. Block all webmail services
5. Allow all webmail services and cross your fingers
6. Or...
CERT’s Solution

• Allow proxied Internet access to any website
• Inspect encrypted communication sessions for sensitive documents
• Block sensitive attachments from being uploaded to the Internet
Blocking Documents

Documents can be stopped based on three methods:

1. Block all attachments
2. Keywords
3. Tags
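As an added illustration (not code from the CERT presentation or its proxy), a Python inspection routine that applies the three methods above to a constructed webmail upload body of the kind the proxy hands to its ICAP service; the boundary, keyword list and tag string are hypothetical.

```python
import re

# Constructed sample of a browser file upload (multipart/form-data), the kind of
# webmail attachment the proxy passes to the ICAP service before it leaves.
BOUNDARY = b"----FormBoundaryXYZ"
SAMPLE_BODY = (
    b"------FormBoundaryXYZ\r\n"
    b'Content-Disposition: form-data; name="subject"\r\n\r\n'
    b"quarterly numbers\r\n"
    b"------FormBoundaryXYZ\r\n"
    b'Content-Disposition: form-data; name="attachment"; filename="plan.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"[TAG:MERIT-INTERNAL] Acquisition plan, do not distribute.\r\n"
    b"------FormBoundaryXYZ--\r\n"
)
# Hypothetical policy data: a keyword list and the tag string the organization
# stamps into documents it classifies as sensitive.
KEYWORDS = [b"acquisition plan", b"do not distribute", b"proprietary"]
TAG_MARKER = b"[TAG:MERIT-INTERNAL]"

def parse_multipart(body, boundary):
    """Return (filename or None, content bytes) for each part of the body."""
    parts = []
    for chunk in body.split(b"--" + boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":      # preamble / closing delimiter
            continue
        head, _, content = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', head)
        parts.append((m.group(1).decode() if m else None, content))
    return parts

def inspect_upload(body, boundary, mode):
    """Apply one of the slide's three methods ('block_all', 'keywords', 'tags').
    Returns (allowed, reason); a blocked upload would be answered by the ICAP
    service with a replacement response instead of being forwarded."""
    for filename, content in parse_multipart(body, boundary):
        if filename is None:
            continue                          # ordinary form field, not a file
        if mode == "block_all":
            return False, f"attachment {filename} blocked by policy"
        if mode == "keywords":
            hits = [k for k in KEYWORDS if k in content.lower()]
            if hits:
                return False, f"{filename} contains keyword {hits[0].decode()!r}"
        if mode == "tags" and TAG_MARKER in content:
            return False, f"{filename} carries tag {TAG_MARKER.decode()}"
    return True, "no attachment matched policy"
```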
The Proxy Server

Man-in-the-Middle (MITM) Proxy

Diagram label: MERIT CORP
The Proxy Server Main Components

• Ubuntu Linux Version 10.04 LTS
• Squid Version 3.1.19
• C-ICAP
• Clam Antivirus (ClamAV)
Client Configuration

• The Organization's Certificate needs to be installed in the Trusted Root Certificate Store on each client
• Internet Explorer needs to be configured to use the proxy on port 3128 for HTTP/S traffic
• Both of these settings can be configured using Group Policy
Shortcomings

• Not very granular
• Doesn’t account for the scenario where text is copied and pasted into an email
Solution:

• What if we could inspect all text flowing through the network?
• Rather than look for ‘tags’ or keywords, look for similarity
• How do we test document similarity?
• Cosine similarity algorithms
• Layman’s terms: Plagiarism Detection
• Even though we’re not checking for plagiarism in academic papers, the process is virtually identical
The Plagiarism Detection Method

• Rather than asking
  • “Does any text in this document sufficiently match anything within its cited references?”
• We’re asking
  • “Does any text in this outgoing network traffic sufficiently match anything within our repository of intellectual property?”
• If not - send it through
• If so - create an alert and/or actively block the traffic from leaving the organization’s perimeter
Open Source Tools

• Squid proxy server
• Apache Lucene
• Apache Tika
• GreasySpoon ICAP server
Apache Lucene

• Powerful open-source text indexer and search engine
• Used in IBM’s famous Watson AI system
• Scalable, fast, and mature
• Perfect for our needs

Order of Events

1. User sends a webmail message
2. Proxy receives the webmail message
3. Proxy forwards the webmail message to GreasySpoon ICAP server
4. GreasySpoon ICAP server forwards the webmail message to Apache Lucene indexer
5. Apache Lucene indexer ‘scores’ the outgoing text against all indexed documents containing intellectual property
6. If any computed score exceeds the organization’s defined threshold (ex: 50%), either create an alert and/or block the outgoing webmail message
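The scoring and decision steps of the flow above, and the similarity check described on the Plagiarism Detection Method slide, as an added example that is not the CERT tooling: a small TF-IDF cosine-similarity scorer written in plain Python stands in for the Lucene index, with a constructed two-document intellectual-property repository and the slide's example threshold of 50%.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the repository of intellectual property; on the real
# system this is the Apache Lucene index and Lucene computes the scores.
IP_REPOSITORY = {
    "merger-memo": "Merit Corp will acquire Acme Widgets in the fourth quarter "
                   "for forty million dollars pending board approval",
    "coating-recipe": "The coating process uses a proprietary polymer blend cured "
                      "at two hundred degrees for ninety minutes",
}
THRESHOLD = 0.5   # the slide's example threshold of 50%

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def vectorize(tokens, idf):
    """TF-IDF weights; terms unknown to the index get a neutral weight of 1."""
    return {t: c * idf.get(t, 1.0) for t, c in Counter(tokens).items()}

def build_index(docs):
    """Inverse document frequencies plus one TF-IDF vector per IP document."""
    toks = {name: tokenize(text) for name, text in docs.items()}
    df = Counter()
    for terms in toks.values():
        df.update(set(terms))
    idf = {term: math.log(1 + len(docs) / n) for term, n in df.items()}
    return idf, {name: vectorize(terms, idf) for name, terms in toks.items()}

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def score_outgoing(text, idf, index):
    """Best (score, document) match between the outgoing text and the repository."""
    query = vectorize(tokenize(text), idf)
    return max((cosine(query, vec), name) for name, vec in index.items())

def decide(text, idf, index, threshold=THRESHOLD):
    """'block' when any indexed document scores at or above the threshold,
    otherwise 'allow'; the best match and score are returned for the alert."""
    score, name = score_outgoing(text, idf, index)
    return ("block" if score >= threshold else "allow"), name, round(score, 3)

IDF, INDEX = build_index(IP_REPOSITORY)   # built once at startup, reused per message
```

A partial excerpt of a memo still scores well above the threshold, while unrelated chatter that shares only common words scores low; tuning the threshold against real traffic is the hard part, as the next slide notes.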
Shortcomings

• Tuning the threshold is difficult
• Does not detect encodings other than ASCII or Unicode
• Processing intensive
• Large index (lots of duplicated data)
• Index contains sensitive information
Future Work

• Create an efficient open-source DLP framework for correlating any given input data with any set of data, regardless of their type (i.e. text, image, raw)
• Tagging network traffic with usernames and other attribution information
• Improving our “Tagger” tool to automatically store file usage information within documents when they are created/accessed/modified
Upcoming Control Topics

• Two Man Control For Operating Systems
  • Why is it so hard?
• Better Forensics for Insider Threat Indicators
  • How to use what we know more effectively
Point of Contact

Randy Trzeciak
Technical Manager, CERT Insider Threat
CERT Division
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-7040 - Phone
rft@cert.org - Email

http://www.cert.org/insider_threat/